Author Topic: False-Positive report thread

Offline Ranjan Kumar
Re: False-Positive report thread
« Reply #120 on: October 25, 2016, 07:03:20 AM »
> I'm using the latest ruleset and still having problems with 225130

Hello robertjw,

Can you please revert back with the exact version that you have deployed.

Thanks & Regards
Comodo cWatch Web Support Team.

Offline Ranjan Kumar
Re: False-Positive report thread
« Reply #121 on: October 25, 2016, 07:16:19 AM »
> 1. 211540
> 2. webmin latest
>
> ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:t(?:able_name\\\\b|extpos^a-zA-Z0-9_{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ..." at ARGS_NAMES:object_id. file "/usr/local/cwaf/rules/23_SQL_SQLi.conf" line "18" id "211540" rev "5" msg "COMODO WAF: Blind SQL Injection Attack||host.com|F|2" data "Matched Data: object_id found within ARGS_NAMES:object_id: object_id" severity "CRITICAL" hostname "host.com" uri "/events/events-list" unique_id "WAcY3AXEJv8AAFJDCQMAAAAB"
>
> how to disable it?
>
> Thanks.

Hello miojamo,

It is not advised to disable any rules. We are working on it, and we will get back to you at the earliest. Can you please provide us with the full audit log for this event?

Thanks & Regards,
Comodo cWatch Web Support Team.
« Last Edit: October 25, 2016, 07:30:04 AM by Ranjan Kumar »

Offline 01i
Re: False-Positive report thread
« Reply #122 on: November 24, 2016, 08:43:12 AM »
1. 220620
2. Wordpress Admin AJAX
3. [Thu Nov 24 13:03:25 2016] [error] [client #.#.#.#] ModSecurity: Access denied with code 503 (phase 2). Match of "rx ^\\\\d+(px)?$" against "ARGS:width" required. [file "/var/cpanel/cwaf/rules/29_Apps_WPPlugin.conf"] [line "135"] [id "220620"] [rev "1"] [msg "COMODO WAF: XSS vulnerability in the SoundCloud Is Gold plugin 2.1 for WordPress (CVE-2012-6624)||[[DOMAIN]]|F|2"] [severity "CRITICAL"] [hostname "[[DOMAIN]]"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WDblHQoBATEAAA3YYyMAAAAK"]

This particular rule has been implemented on the surface due to a vulnerability in the SoundCloud Is Gold plugin, but would actually seem to be representative of a default submission of the core WordPress Admin Ajax form, without including an often irrelevant width parameter. If you do a Google search for various parts of this rule, you find several examples of people reporting broken functionality in plugins accessing the WordPress admin ajax script.

I personally came across this error in the Toolset Layouts plugin (https://wp-types.com).

Now, every time I see this rule mentioned in an error report, the resolution is to disable the rule, which seems kind of pointless having a rule that causes so many false positives that the standard practice is to disable it.

Looking at the regular expression, it's enforcing something in an overzealous way. For example, if the rule is trying to prevent XSS attack data being added to the width field, why does width need to contain data at all? Any XSS attack would include data in the width POST, so an empty width should be safe (and yet it fails). In addition, why does the width have to be a non-decimal integer measured in pixels? There are more valid length units than just px (with the variety of these units increasing frequently), and yet using the majority of them would cause the rule to be triggered (width=12.5%, width=200em, width=56.9pt, width=0).

With the modern trend towards mobile responsive web design, em is being used more than px, and as people move further towards using mobile phones as a primary browsing source, the newer units like vh, vw, vmin, vmax will become more popular.

Would it not make sense for the regular expression to be a little less strict?

width=^$
width=^\d+$
width=^\d+(em|ex|\%|px|cm|mm|in|pt|pc|ch|rem|vh|vw|vmin|vmax)$
width=^\d+\.\d+(em|ex|\%|px|cm|mm|in|pt|pc|ch|rem|vh|vw|vmin|vmax)$

All of the previous regexps (at the very least) should be able to be passed into a POST containing the value width, without triggering a modsecurity block. That way, the rule could be left as intended to secure "/wp-admin/admin-ajax.php" without triggering on acceptable uses, and whitelisted on a per script basis if reporting as a false positive on other scripts. As it's only intended to be used to secure that one script, whitelisting just that script (which would be the next best thing to turning the rule off), is identical to turning the rule off. Worse in fact, because it can then only trigger for a false positive.

e.g.

^(?:.{0}|(?:\d+|\d+\.\d+))(?:.{0}|(?:[ ]{0,1}(?:em|ex|\%|px|cm|mm|in|pt|pc|ch|rem|vh|vw|vmin|vmax)))$
« Last Edit: November 24, 2016, 10:02:25 AM by 01i »
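The comparison below is an added example, not code from the thread, from Comodo, or from the 01i post: it runs the width pattern the rule-220620 log line shows being required (`^\d+(px)?$`) and the relaxed pattern proposed in the post above against a constructed set of sample width values, and adds a tightened variant of my own (an assumption, not anything the thread proposes) that keeps the relaxations but only accepts a unit when a number precedes it.

```python
import re

# Pattern the rule-220620 log line above shows being required on ARGS:width.
STRICT = re.compile(r"^\d+(px)?$")

# Relaxed pattern proposed in the post above, copied verbatim.
PROPOSED = re.compile(
    r"^(?:.{0}|(?:\d+|\d+\.\d+))"
    r"(?:.{0}|(?:[ ]{0,1}(?:em|ex|\%|px|cm|mm|in|pt|pc|ch|rem|vh|vw|vmin|vmax)))$"
)

# Hypothetical tightening (mine, not from the thread): a unit may only follow a
# number, so a bare "px" no longer passes, while empty and fractional values still do.
TIGHTENED = re.compile(
    r"^(?:\d+(?:\.\d+)?(?: ?(?:em|ex|%|px|cm|mm|in|pt|pc|ch|rem|vh|vw|vmin|vmax))?)?$"
)

PATTERNS = {"strict": STRICT, "proposed": PROPOSED, "tightened": TIGHTENED}

# Constructed sample widths: the values the post says break the rule, a few normal
# ones, a bare unit, and one markup value that no length allowlist should accept.
SAMPLES = ["", "0", "100", "100px", "12 px", "12.5%", "200em", "56.9pt", "px", '<img src="x">']
NOT_LENGTHS = {"px", '<img src="x">'}


def allowed(pattern, value):
    """True when the 'match required' check passes, i.e. the WAF lets the value through."""
    return pattern.search(value) is not None


def evaluate(values=SAMPLES):
    """Map each sample width to the verdict of every pattern."""
    return {v: {name: allowed(p, v) for name, p in PATTERNS.items()} for v in values}


def false_positives(name, values=SAMPLES):
    """Sample lengths a legitimate form could send that the named pattern would block."""
    return [v for v in values if v not in NOT_LENGTHS and not allowed(PATTERNS[name], v)]


if __name__ == "__main__":
    for value, verdicts in evaluate().items():
        flags = "  ".join(f"{n}={'pass' if ok else 'BLOCK'}" for n, ok in verdicts.items())
        print(f"{value!r:16} {flags}")
    for name in PATTERNS:
        print(f"{name}: blocks legitimate {false_positives(name)}")
```

Running it shows the strict pattern blocking every legitimate value from the post (empty, 12.5%, 200em, 56.9pt, and a spaced "12 px"), and the proposed pattern passing all of them while still rejecting markup. One thing the proposed pattern also passes is a bare unit such as "px", because its number and unit alternatives are independently optional; that is harmless for an allowlist but is the reason the tightened variant nests the unit under the number.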

Offline TDmitry (Head CWAF Rule Writing Team)
Re: False-Positive report thread
« Reply #123 on: November 24, 2016, 10:48:51 AM »
Hello,

Thank you for such a detailed analysis; we'll find a proper solution for this rule and release it within the next update.

Offline miojamo
Re: False-Positive report thread
« Reply #124 on: December 08, 2016, 05:55:47 AM »
1. 211540
2. VIRTUALMIN

Thanks for doing great work. I have problems with the rule 211540.

Thu Dec 08 09:33:21.334171 2016 :error pid 10266 client IP ModSecurity: Access denied with code 403 (phase 2). Pattern match '(?i:\\\\b(?:t(?:able_name\\\\b|extpos^a-zA-Z0-9_{1,}\\\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o ...' at ARGS_NAMES:object_id. file '/usr/local/cwaf/rules/23_SQL_SQLi.conf' line '18' id '211540' rev '5' msg 'COMODO WAF: Blind SQL Injection Attack||domain.com|F|2' data 'Matched Data: object_id found within ARGS_NAMES:object_id: object_id' severity 'CRITICAL' hostname 'domain.com' uri '/index.php' unique_id 'WEko4QXEJv8AACgad[at]0AAAAJ'

The webpage gives:
Forbidden
You don't have permission to access /index.php on this server.
« Last Edit: December 08, 2016, 05:57:23 AM by miojamo »

Offline limithat
Re: False-Positive report thread
« Reply #125 on: December 13, 2016, 03:00:58 AM »
Hi miojamo,
We are working on it and will get back to you as soon as possible. Can you please let us know the version that you are using?

Thank you.

Regards,
Comodo cWatch Web Support Team.
« Last Edit: December 15, 2016, 05:18:58 AM by limithat »

Offline miojamo
Re: False-Positive report thread
« Reply #126 on: December 17, 2016, 05:17:08 AM »
Hi,

Current rules version    1.104 (Latest version)
CWAF plugin version    2.17
Web Platform    Apache
Apache version    2.4.18
Mod_security compatible    yes
Mod_security loaded    yes

Offline limithat
Re: False-Positive report thread
« Reply #127 on: December 19, 2016, 02:27:43 AM »
Hi,

Can you please let us know the VirtualMin version that you are using?

Thank you.

Regards,
Comodo cWatch Web Support Team.

Offline miojamo
Re: False-Positive report thread
« Reply #128 on: December 19, 2016, 02:36:17 AM »
Hello,

Operating system    Ubuntu Linux 16.04
Webmin version    1.821
Virtualmin version    5.05

Thank you,

Offline garconcn
Re: False-Positive report thread
« Reply #129 on: January 12, 2017, 11:34:11 AM »
Client tried to update a Google map in WordPress; why is "goo.gl" a malicious site name?

[Thu Jan 12 07:48:59.084461 2017] [:error] [pid 650020] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "goo.gl" at ARGS:data[wp_autosave][content]. [file "/var/cpanel/cwaf/rules/03_Global_Domains.conf"] [line "23"] [id "210920"] [rev "2"] [msg "COMODO WAF: Malicious site name found in request||www.domain.com|F|2"] [data "https:/"] [severity "CRITICAL"] [hostname "www.domain.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WHela0LihgEACeskLZMAAABN"]


Current rules version    1.108 (Latest version)
CWAF plugin version    2.17
Web Platform    Apache
Apache version    2.4.18
Mod_security compatible    yes
Mod_security loaded    yes
Mod_security conf    /usr/local/apache/conf/modsec2.conf

Offline TDmitry (Head CWAF Rule Writing Team)
Re: False-Positive report thread
« Reply #130 on: January 12, 2017, 12:10:54 PM »
> Client tried to update a Google map in WordPress; why is "goo.gl" a malicious site name?
>
> [Thu Jan 12 07:48:59.084461 2017] [:error] [pid 650020] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "goo.gl" at ARGS:data[wp_autosave][content]. [file "/var/cpanel/cwaf/rules/03_Global_Domains.conf"] [line "23"] [id "210920"] [rev "2"] [msg "COMODO WAF: Malicious site name found in request||www.domain.com|F|2"] [data "https:/"] [severity "CRITICAL"] [hostname "www.domain.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WHela0LihgEACeskLZMAAABN"]
>
> Current rules version    1.108 (Latest version)
> CWAF plugin version    2.17
> Web Platform    Apache
> Apache version    2.4.18
> Mod_security compatible    yes
> Mod_security loaded    yes
> Mod_security conf    /usr/local/apache/conf/modsec2.conf

Such a false positive took place in the previous version (1.107), but the current version (1.108) doesn't contain "goo.gl" in the domain blacklist. Make sure that you are really using the latest ruleset; you can always get the latest release at https://waf.comodo.com/

Offline Xavior82
Re: False-Positive report thread
« Reply #131 on: January 16, 2017, 05:41:21 PM »
We've followed all false positive reports over the past week, and 220030 has been our top contender for false positives (at least 5 reported cases over the last week, on different domains). I would recommend this rule be immediately removed until an appropriate replacement can be found.

Offline TDmitry (Head CWAF Rule Writing Team)
Re: False-Positive report thread
« Reply #132 on: January 17, 2017, 11:28:16 AM »
> We've followed all false positive reports over the past week, and 220030 has been our top contender for false positives (at least 5 reported cases over the last week, on different domains). I would recommend this rule be immediately removed until an appropriate replacement can be found.

You can disable this rule if you aren't using PHP before 5.3.12 and 5.4.x before 5.4.2.

Offline ha.tech.support
Re: False-Positive report thread
« Reply #133 on: February 08, 2017, 05:41:33 PM »
1. 211000
2. [Wed Feb 08 15:58:46.130510 2017] [:error] [pid 7831:tid 140416041064192] [client 104.166.227.204] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /ajax.php/imp/sendmessage" against "REQUEST_FILENAME" required. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/01_Global_Generic.conf"] [line "14"] [id "211000"] [rev "5"] [msg "COMODO WAF: System Command Injection||hai3.srva.org|F|2"] [data "Matched Data: curl found within ARGS:f_fnd_na_last: /pvt/in_find.c.php"] [severity "CRITICAL"] [hostname "hai3.srva.org"] [uri "/pvt/IN_find.C.php"] [unique_id "WJuUlsY5o4EAAB6XnfwAAAAI"]

3. Trying to find a last name containing curl.
String in field is either curl or %curl.

Assistance other than commenting out this rule???
Thanks in advance

Offline PRO ISP
Re: False-Positive report thread
« Reply #134 on: February 10, 2017, 04:08:15 AM »
1. False-Positive RuleId

>> 220960

2. Web application + version

>> CMS Made Simple (CMSMS)
>> Version - 2.1.5

3. Request headers or at least debug log

[Thu Feb 09 22:13:40.493872 2017] [:error] [pid 271807] [client 91.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface\\\\.php" at Request_FILENAME. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "598"] [id "220960"] [rev "1"] [msg "COMODO WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||domain.tld|F|2"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/adminsite/moduleinterface.php"] [unique_id "WJzbhC760oIABCW-aMoAAAAQ"]
[Thu Feb 09 22:14:16.930272 2017] [:error] [pid 272624] [client 91.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface\\\\.php" at Request_FILENAME. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "598"] [id "220960"] [rev "1"] [msg "COMODO WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||domain.tld|F|2"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/adminsite/moduleinterface.php"] [unique_id "WJzbqC760oIABCjwLUkAAAAV"]

[Thu Feb 09 22:05:44.025240 2017] [:error] [pid 266531] [client 85.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface\\\\.php" at Request_FILENAME. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "598"] [id "220960"] [rev "1"] [msg "COMODO WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||domain.tld|F|2"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/adminsite/moduleinterface.php"] [unique_id "WJzZqC760oIABBEjD7QAAAAL"]
[Thu Feb 09 22:11:11.434213 2017] [:error] [pid 271114] [client 85.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface\\\\.php" at Request_FILENAME. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "598"] [id "220960"] [rev "1"] [msg "COMODO WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||domain.tld|F|2"] [severity "CRITICAL"] [hostname "domain.tld"] [uri "/adminsite/moduleinterface.php"] [unique_id "WJza7y760oIABCMKtowAAAAh"]
« Last Edit: February 10, 2017, 04:56:27 AM by Titans »
